Microelectronics Supply Chain Illumination


1 Microelectronics Supply Chain Illumination
Defense Security Service Microelectronics Supply Chain Illumination UNCLASSIFIED//FOUO

2 Standard Supply Chain Illumination Methods
Supply Chain illumination efforts are typically a top-down analysis. Analysis usually only goes 2-3 levels down, has low confidence levels, and provides vague information.

From a Global Hawk Supply Chain illumination product:
- 350+ companies identified
- Mostly 1st-3rd tier suppliers
- Despite the volume of information, the data does not address our CI concerns

Red: 2nd-3rd Tier suppliers, no information pertaining to subcomponents of these systems
Green: Low confidence distributor of unspecified integrated circuits

Source: Summary of following slides

3 “Show us the Program’s supply chain” vs. “What are our CI concerns?”
Threats (Actors)
- Foreign Intelligence Entity (FIE)
- Organized Crime
- Insider Threat

Threats (Vectors)
- Degraded Components
- Malicious Components
- IP Theft

Vulnerabilities
- Counterfeits & Clones
- 3PIP
- PCB Assembly
- and a few other areas…

Critical Assumptions
- All DoD ASICs Using Trusted Flows
- Trusted Flows Are Secure
- Targeting a Commercial Product During Fabrication is Unlikely
- More Appealing Vulnerabilities that offer the same end results with more plausible deniability

Source: Summary of following slides

4 Counterfeits
Could the DoD be reliant on Chinese-origin gray market microelectronics?
- The gray market sells rare and obsolete parts no longer manufactured
- Majority of microelectronics in sustainment are obsolete
- Large percentage of parts in acquisition are obsolete or will be within a year
- We are highly confident the PRC knows this as it has been openly and repeatedly published
- The same companies that import counterfeits often violate export control laws
- Introduces supply reduction vulnerabilities
- Introduces supply reliability vulnerabilities

Source: Various, DSS reporting, arrests/indictments, EETimes, etc.

5 Counterfeits
- Heavy collaboration with AFOSI and IPRC ~2012 during Operation Chain Reaction
- 400+ entities that appear to knowingly import counterfeits
- 1,000+ known, or highly suspected counterfeiters
- Some third-party test houses appear complicit
  - Noticeably Damaged Leads Pass w/ No Explanation
  - Can’t Be Bothered to Zeroize?!
  - Limited X-Rays Performed
    - Typically 1% of Reel
    - Not Compared to Anything

6 Operation Chain Reaction
- Jeffrey Krantz (Harry Krantz, LLC) waived his right to indictment and pleaded guilty to selling remarked integrated circuits to the DoD
  - QSLD qualified distributor
- Jeffrey Warga (Bay Components) waived his right to indictment and pleaded guilty to conspiracy to commit wire fraud
  - Engaged in a scheme to defraud businesses by falsely representing that electronic parts sold were not from Asia, when in fact they had purchased them from companies located in Asia
  - Warga and his co-conspirators knew the parts were counterfeit
- Peter Picone (Tytronix / Epic International) indictment
  - Conspiracy, Trafficking in Counterfeit Goods, Wire Fraud, Money Laundering, Aiding and Abetting
  - Sources of counterfeits: China and Hong Kong
- Arrest of three Chinese nationals (HK Potential)
  - Illegally export controlled semiconductors
  - Trafficking in counterfeit semiconductors

Sources:
- Harry Krantz:
- Bay Components:
- Tytronix: United States v. Peter Picone, Filed 25 Jun 2013
- HK Potential: “THREE CHINESE NATIONALS ARRESTED FOR BRAZEN SCHEME TO STEAL AND ILLEGALLY EXPORT MILITARY-GRADE SEMICONDUCTORS”, December 10, 2015

7 Clones

Parameter            Chinese VS12C    Xilinx XQVR300*
Node                 0.2µm            0.22µm
Silicon substrate    FD SOI           Bulk or Epitaxial silicon
Block RAM            64,000           65,636
IMUX Outputs         30               26
IMUX Inputs          140              132
VCCO                 2.5v             3.3v
SEU Threshold LET    4                1.2
SEL LET              Immunity         125 MeV·cm²/mg

Source: A Low Power and Radiation-Tolerant FPGA Implemented in FD SOI Process (academic paper)
* Ignore that this image is almost certainly a counterfeit

8 Clones
DoD reliance on gray market
+ Limited ability to track semiconductors in the supply chain
+ Foreign ability to reverse engineer obsolete components that the DoD purchases
= Critical risk

Collaborative work between IPRCC, Counterintelligence Elements, JFAC, Prime and Sub-contractors critical to addressing this issue

9 3PIP
- Heavy foreign academic focus on insertion of hardware Trojans via Third-Party IP and EDA tools
- Academic settings/cost likely explain this heavy slant
- Low cost, low difficulty, more targeted, potentially high consequences compared to FPGA-based hardware Trojans during fabrication or test/assembly
- Complete inability to find anyone, in any program, that can tell us what 3PIP is incorporated into their designs
- Categorized PIP providers and 15,000+ cores
- More than 60% reside outside of North America
- Majority of encryption, processor, and interface cores offered are sold by foreign vendors, often from Asia or Eastern Europe
- Main point: Most focus appears to be on FPGAs, CPLDs, MCUs, MPUs, etc.

10 Summary
- Both approaches have shortfalls
- Most companies and IC members work top-down
- Top-down approach rarely provides a complete look at the microelectronic components used in DoD systems
- Can’t lose sight of why we’re mapping out the supply chain
- Higher levels of abstraction should also consider shipment interdiction, storage security, and other methods of insider threat, but rarely do
- Desired effect/outcome vs. completing a survey/performing a task

11 Questions?
Defense Security Service
Adam Hauch